Shell script containing passwords.

Eric F Crist ecrist at
Tue Feb 10 09:05:17 PST 2004

On Tuesday 10 February 2004 09:28 am, Lewis Thompson wrote:
> On Tue, Feb 10, 2004 at 10:12:09AM -0500, Lowell Gilbert wrote:
> > Lewis Thompson <purple at> writes:
> > >   I am worried that because the script must be read/writeable by the
> > > Apache user (www) that anybody that can write a PHP script on my
> > > machine can read the auth script and read the passwords that would be
> > > contained within -- those to my MySQL server.
> >
> > Why would the script be readable or writeable by any user?
> > It only needs to be executable, right?
> Well, since it's an interpreted script (it's some standalone PHP) in
> order to execute it, the user must be able to read it.  Since the script
> holds passwds that means that any user with the ability to run it can
> get the passwds (in my case to access my MySQL server).
>   This is a ``flaw'' with the way Apache works because everything Apache
> executes must be +rw for the Apache user (www).  As a result any person
> able to write PHP code (all of my users) can read anything that the
> Apache user can, because mod_php executes as the Apache user.
>   There are security features in PHP (safe_mode) but these conflict with
> a large number of PHP scripts.  I'm trying to work it out this way now
> but it's a lot of hassle.
>   Thanks for your response,
> -lewiz.

Check the syntax for the .htaccess files in the httpd.conf file.  This is a 
file that must be non-readable by regular users via php, but apache has a 
filter written within the httpd.conf file to disallow access.  I know it's 
about 3/4 of the way down the page.


Eric F Crist
AdTech Integrated Systems, Inc
(612) 998-3588
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: signature
Url :

More information about the freebsd-questions mailing list